豆子今天无聊在github上看看有什么有意思的PowerShell脚本,无意中发现了PowerSploit这个项目,仔细看了看,这个模块是针对***测试写的,里面有大量相关的***脚本,随便找了一个试试看。
比如说这个,可以用来记录键盘的输入内容,完整的脚本我就不贴出来了。
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Get-Keystrokes.ps1
具体实现的功能先不去考虑,我很好奇他是怎么在后台执行的。可以看见脚本末尾这个作者使用的是runspace,他创建了一个runspace,然后传入脚本块和对应的参数,然后触发;
# Setup KeyLogger's runspace $PowerShell = [PowerShell]::Create() [void]$PowerShell.AddScript($Script) [void]$PowerShell.AddArgument($LogPath) if ($PSBoundParameters.Timeout) { [void]$PowerShell.AddArgument($Timeout) } # Start KeyLogger [void]$PowerShell.BeginInvoke()
这种方式看起来很眼熟啊,豆子之前学习多线程的时候,就是使用runspace来替代后台的job,因为runspace的性能效率要高的多;
http://beanxyz.blog.51cto.com/5570417/1760880
事实上,我看了一下 这个***脚本之前也是使用的job,最新的版本改成了runspace,可见知识是相通的~
执行试试看
Get-Keystrokes -LogPath C:\temp\key.log
然后随便输入一下命令,查看一下对应的日志文件是否有记录 ,果然成功记录了
PS C:\Windows\System32\WindowsPowerShell\v1.0> gc C:\temp\key.log "TypedKey","WindowTitle","Time" "l","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM" "s","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM" "","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM" "g","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM" "c","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM" "< >","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM" "c","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM" " ","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM" ":","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM" "\","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM" "t","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM" "e","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM" "m","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM" "p","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM" "\","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM" "k","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM" "e","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM" "y","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM" " ","Administrator: Windows PowerShell ISE","9/06/2016 10:59:54 AM" " ","Administrator: Windows PowerShell ISE","9/06/2016 10:59:54 AM"
如果我不管他,我所有的键盘操作都会被记录下来,那怎么停止这个监听?
查看一下runspace,我估计第二个最新的runspace应该是我刚刚创建的
PS C:\Windows\System32\WindowsPowerShell\v1.0> Get-Runspace Id Name ComputerName Type State Availability -- ---- ------------ ---- ----- ------------ 1 Runspace1 localhost Local Opened Busy 2 Runspace2 localhost Local Opened Busy
查看一下有啥属性和方法,发现可以close掉他
PS C:\Windows\System32\WindowsPowerShell\v1.0> Get-Runspace 2 | gm TypeName: System.Management.Automation.Runspaces.LocalRunspace Name MemberType Definition ---- ---------- ---------- AvailabilityChanged Event System.EventHandler`1[System.Management.Automation.Runspaces.RunspaceAvailabilityEventArgs] AvailabilityChanged(System.Object, System.Management.Automation.Runspaces.RunspaceAvailabilit... StateChanged Event System.EventHandler`1[System.Management.Automation.Runspaces.RunspaceStateEventArgs] StateChanged(System.Object, System.Management.Automation.Runspaces.RunspaceStateEventArgs) ClearBaseTransaction Method void ClearBaseTransaction() Close Method void Close() CloseAsync Method void CloseAsync() Connect Method void Connect()
执行试试
PS C:\Windows\System32\WindowsPowerShell\v1.0> (Get-Runspace 2).close()
成功停止这个runspace,后面没有继续写入了。
现在我根据同样的方法,自己写了一个类似的小程序试试。我打算写一个后台程序,每隔30秒就弹出一个对话框,告诉我注意休息~
$scriptblock={ while($true){ $MessageboxTitle = “Health Reminder” $Messageboxbody = “Please have a break, my lord” $MessageIcon = [System.Windows.MessageBoxImage]::Information $ButtonType = [System.Windows.MessageBoxButton]::OK [System.Windows.MessageBox]::Show($Messageboxbody,$MessageboxTitle,$ButtonType,$messageicon) Start-Sleep -Seconds 30 } } $job=[powershell]::create() $job.addscript($scriptblock) $job.begininvoke()